
McAfee updates blocked, browsers hijacked, and more

1) McAfee security center is closed, not by me. No longer comes up automatically on start-up. When I do start it up, it tries to update and the update times out and McAfee posts a message that I need to reinstall it. See #2 for why I can't reinstall.

2) Cannot get to any web site that contains the word mcafee. The page tries to load for a very long time and then I get a message that the network connection has been interrupted. I have tried to look at this error page with view source and I just get a plain white page. This evil thing is even blocking view source!

3) Cannot get to any really useful anti-malware sites, including bleepingcomputer.com. For that reason, I am communicating from a desktop that I also own, not the infected computer. I emailed the dds.scr to my laptop (the infected one) and it will start up, the black screen is there for about a half a second, and then it is killed. So I cannot provide the files from that scan. I have to only send you HijackThis info because it's all I have.

4) Both IE and Firefox browsers have been hijacked so that when I google airline, for example, and click on Southwest Airline's link, the browser goes past the SW Airlines page to some travel agency site. I can hit the back button to get to the SW Airlines site. I have a list of a few of the sites that the browsers are redirected to, if that's useful. (Why can't these guys be caught based on who their clients are??)

5) I installed Windows updates last night, the ones that install when you shut down. They hung; in other words, the computer stayed in the state where the screen says "don't turn off or unplug your computer while updates are installing" overnight, never shutting off. When I forcibly rebooted this morning, it said new updates had been installed, but I'm not so sure I can even get Windows updates.

I worked as a software engineer for 17 years, so I can get around the computer with ease, although Unix was what I worked on, not PCs. So I don't know the down and dirty details of a PC's inner workings and greatly appreciate any help you can give me.

Please let me know if there's any other information I can gather to help diagnose.


Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please as a test go to start => Run => type cmd in the run box and click OK. Do the same for: regedit

To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.

Double click on RSIT.exe to run RSIT.

Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.

Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

Computer Name: RUFFIAN
Event Code: 1517
Message: Windows saved user RUFFIAN\Sundial registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Computer Name: RUFFIAN
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

THANK YOU, THANK YOU, THANK YOU!!!!! I am so very relieved. Even before I removed the file (it must have been hidden because I had to do a search for all files with xaq -- it didn't show up in the list of files), McAfee came up on its own like it used to. Its update succeeded, I can go to bleepingcomputer.com from the previously infected computer, my browsers don't seem to be redirecting. In short, everything seems fine.

If I can ask two more things:

First, what, other than a full scan with McAfee, do I need to do to ensure my computer is now secure? I loaded Windows Defender and Ad Aware. Should I use them also or is McAfee enough?

Second, is there any way I can figure out HOW I managed to get this virus/malware/whatever it was? I am pretty careful about what web sites I visit, opening attachments in email, etc. I would love to know what I did because I sure don't want to do it again! Plus I would love it if these guys could be nailed.

First, what, other than a full scan with McAfee, do I need to do to ensure my computer is now secure? I loaded Windows Defender and Ad Aware. Should I use them also or is McAfee enough?

I don't see any other infection on your log. The trojan we removed doesn't come with many companions.

You may use Ad-Aware and Windows Defender.

Second, is there any way I can figure out HOW I managed to get this virus/malware/whatever it was?

I'm not sure; going to a bad site, watching a video online, or downloading a smiley might do it, and those who use P2P programs might get it from there.

++++++++++++++++++++++++++++

First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.